The U.K. Lords Science and Technology committee released a report on August 10, 2007, in which it made certain recommendations relative to Internet Security as well as strong accusations against the U.K. government and software vendors. In addition, the report recommends holding software vendors liable for damages caused by security issues:

We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced.

Chapter 4, Paragraph 4.41

Understandably, there has been a great deal of discussion about the topic of vendor liability. Many security professionals are against it, and Symantec, Sophos, and McAfee were quick to react:

However, a number of leading security vendors have claimed such a system would be difficult to manage. According to Symantec, such liability would not only have a negative effect on the software industry, but might harm the very consumers it was meant to protect. "Such an approach does not take into account the complexity of the IT industry. An approach along the line suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users' security and privacy," said a company statement released within hours of the report. Another problem with liability was the almost impossible task of determining who was to blame, said Graham Cluley of Sophos. ...A similar stance was taken by McAfee's Greg Day. "It would be very difficult to hold vendors responsible for breaches, as it really comes down to how solutions are implemented," he said. "You would have to ask, 'Did they have it configured correctly, updated and maintained?' Every business has different IT security requirements depending on their business and IT footprint. A security vendor supplies businesses with the tools, but it is down to the business to use them correctly."

OK, but the report is very specific about the need to prove negligence. This is no different from any other industry in which manufacturers and service providers are required to perform in a manner considered reasonable and prudent to protect the interests of those using their products and services. So I'm conceptually in agreement with holding software vendors liable for negligent behavior. So what is negligent behavior? Like anything else, this will be decided in the courts. However, vendors who fail to react in a reasonable and appropriate manner to known issues, or who fail to follow generally accepted secure programming practices, should probably tighten up their processes. Having said all this, there is one issue that can't be addressed by beating up software vendors: user ignorance and negligence. Users are quick to blame anyone but themselves when their systems are compromised. However, the compromise is very often caused by a business's or an individual user's failure to follow best practice or to THINK before acting. This does present a problem for the courts and legislators when trying to pin down who exactly is liable. According to Alan Cox, a prominent open-source developer:

"You buy a PC, you add a word processor, you add a media player, and you add a couple of games. All these can interact in strange and wondrous ways and as you add more software the combination increases. The rational thing for a software vendor to do faced with liability would be to forbid the installation of any third party software on the system," he said.

(ibid)

The need for user education didn't go unnoticed by the Lords' report.

We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety.


Independent security researcher and IT professional with over 36 years of experience in programming, network engineering and security. Author of four books (Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide) and various papers on security management.